  ID Type  Status  Priority  Milestone  Owner  Summary + Labels
  43 ---- Fixed ---- ---- cevans@google.com Flash leak of uninitialized data whilst rendering JPEGs  
  44 ---- Fixed ---- ---- cevans@google.com Flash leak of uninitialized data whilst rendering a 2-component JPEG  
  45 ---- Fixed ---- ---- cevans@google.com Flash leak of uninitialized memory when rendering valid(?) 1bpp image  
  46 ---- Fixed ---- ---- cevans@google.com Flash heap buffer overflow calling copyPixelsToByteArray() on a large ByteArray CCProjectZeroMembers  
  47 ---- Fixed ---- ---- cevans@google.com Flash leak of uninitialized data when image zlib stream ends prematurely CCProjectZeroMembers  
  48 ---- Fixed ---- ---- cevans@google.com Flash leak of uninitialized data when JPEG image alpha channel zlib stream ends prematurely CCProjectZeroMembers  
  71 ---- Fixed ---- ---- cevans@google.com Flash out-of-bounds read in uploadCompressedTextureFromByteArray() CCProjectZeroMembers  
  75 ---- Fixed ---- ---- cevans@google.com Flash out-of-bounds read with empty ID3 tag CCProjectZeroMembers  
  76 ---- Fixed ---- ---- cevans@google.com Flash memory corruption (double free?) with RTMP packet that aborts itself CCProjectZeroMembers  
  78 ---- Fixed ---- ---- cevans@google.com Flash memory corruption (integer overflow?) concatenating strings to ~4GB in size CCProjectZeroMembers  
  79 ---- Fixed ---- ---- cevans@google.com Flash out-of-bounds read with large string length in RTMP packet CCProjectZeroMembers  
  82 ---- Fixed ---- ---- cevans@google.com Flash out-of-bounds read in uploadCompressedTextureFromByteArray() [CubeTexture variant] CCProjectZeroMembers  
  93 ---- Fixed ---- ---- cevans@google.com Flash memory corruption in Actionscript 2 Array.join CCProjectZeroMembers  
  106 ---- Fixed ---- ---- cevans@google.com Flash logic error in bytecode verifier CCProjectZeroMembers  
  109 ---- Fixed ---- ---- cevans@google.com Flash heap overflow in bytecode verifier CCProjectZeroMembers  
  112 ---- Fixed ---- ---- cevans@google.com Adobe Flash incorrect jit optimization with op_pushwith CCProjectZeroMembers  
  113 ---- Fixed ---- ---- fjserna@google.com Flash 14 on IE11, readAV crash on xmm instruction CCProjectZeroMembers  
  114 ---- Fixed ---- ---- cevans@google.com Adobe Flash incorrect jit optimization with op_pushscope CCProjectZeroMembers  
  115 ---- Fixed ---- ---- cevans@google.com Adobe Flash incorrect jit optimization with op_setglobalslot CCProjectZeroMembers  
  116 ---- Fixed ---- ---- cevans@google.com Flash heap buffer overflow calling Camera.copyToByteArray() with a large ByteArray CCProjectZeroMembers  
  120 ---- Fixed ---- ---- cevans@google.com Type Confusion in Setting Microphone Codec CCProjectZeroMembers  
  122 ---- Fixed ---- ---- cevans@google.com Flash memory corruption in the G711 codec with 4-byte samples CCProjectZeroMembers  
  124 ---- Fixed ---- ---- cevans@google.com Flash memory corruption when upper casing malformed Unicode CCProjectZeroMembers  
  125 ---- Fixed ---- ---- cevans@google.com Flash corruption after corrupting pre-validated bytecode CCProjectZeroMembers  
  131 ---- Fixed ---- ---- cevans@google.com Flash write crash at NULL + 0x2b288 (on 64-bit) CCProjectZeroMembers  
  150 ---- Fixed ---- ---- cevans@google.com File Reference Object Constructor Does Not Clear Destructor CCProjectZeroMembers  
  165 ---- Fixed ---- ---- cevans@google.com UaF on Adobe's Flash CCProjectZeroMembers  
  192 ---- Fixed ---- ---- cevans@google.com XMLSocket Destructor Does Not Get Cleared Before Setting User Data in connect CCProjectZeroMembers  
  199 ---- Fixed ---- ---- cevans@google.com Flash PCRE regex compilation logic issue CCProjectZeroMembers  
  205 ---- Fixed ---- ---- cevans@google.com Adobe Flash Calling Superconstructor More Than Once Can Lead to Inconsistent User Data and Destroy Func CCProjectZeroMembers  
  207 ---- Fixed ---- ---- cevans@google.com Flash: use-after-free in display list handling from KeenTeam CCProjectZeroMembers  
  208 ---- Fixed ---- ---- cevans@google.com Flash PCRE pcre_compile character class/ims options heap overflow CCProjectZeroMembers  
  209 ---- Fixed ---- ---- cevans@google.com Flash: bad cast(?) in display list handling from KeenTeam CCProjectZeroMembers  
  210 ---- Fixed ---- ---- cevans@google.com Flash: bad cast during garbage collection from KeenTeam CCProjectZeroMembers  
  216 ---- Fixed ---- ---- cevans@google.com Flash PCRE regex compilation recursion offset arbitrary bytecode execution CCProjectZeroMembers  
  218 ---- Fixed ---- ---- cevans@google.com Flash heap buffer overflow due to integer overflow in JSON.stringify CCProjectZeroMembers  
  223 ---- Fixed ---- ---- ianbeer@google.com Flash heap buffer overflow when stringifying Proxy objects CCProjectZeroMembers  
  224 ---- Fixed ---- ---- cevans@google.com Flash PCRE regex compilation zero-length assertion arbitrary bytecode execution CCProjectZeroMembers  
  225 ---- Fixed ---- ---- cevans@google.com Flash PCRE regex compilation extended unicode comment arbitrary bytecode execution CCProjectZeroMembers  
  227 ---- Fixed ---- ---- ianbeer@google.com Flash UaF due to unrooted Atom array used during JSON stringification CCProjectZeroMembers  
  229 ---- Fixed ---- ---- cevans@google.com Type Confusion in NetConnection ASnative CCProjectZeroMembers  
  237 ---- Fixed ---- ---- cevans@google.com Flash: use-after-free(?) in bitmap decoding(?) from KeenTeam CCProjectZeroMembers  
  238 ---- Fixed ---- ---- cevans@google.com Flash: AGAL information leak from KeenTeam CCProjectZeroMembers  
  239 ---- Fixed ---- ---- cevans@google.com Flash: out-of-bounds write in shader handling CCProjectZeroMembers  
  244 ---- Fixed ---- ---- cevans@google.com Adobe Flash: Setting ConvolutionFilter.matrix can write to memory that has already been freed CCProjectZeroMembers  
  246 ---- Fixed ---- ---- cevans@google.com Flash: out-of-bounds write with mp4 file missing a track CCProjectZeroMembers  
  251 ---- Fixed ---- ---- cevans@google.com Flash: memory corruption with mp4 file with lots of "trex" tags CCProjectZeroMembers  
  253 ---- Fixed ---- ---- cevans@google.com Flash: out-of-bounds write with mp4 file missing a track (alternate mp4 parser) CCProjectZeroMembers  
  254 ---- Fixed ---- ---- cevans@google.com Adobe Flash: Type Confusion in Button.filters CCProjectZeroMembers  
  256 ---- Fixed ---- ---- cevans@google.com Flash: memory corruption with -1 length string in titl tag CCProjectZeroMembers  
  260 ---- Fixed ---- ---- cevans@google.com Adobe Flash: XML and XMLNode classes missing constructor type check CCProjectZeroMembers  
  261 ---- Fixed ---- ---- cevans@google.com Flash: memory corruption with large mp4 atom sizes CCProjectZeroMembers  
  262 ---- Fixed ---- ---- cevans@google.com Adobe Flash: Type Confusion in Sound class CCProjectZeroMembers  
  264 ---- Fixed ---- ---- cevans@google.com Flash: memory corruption with excessive CEA-708 data block length CCProjectZeroMembers  
  265 ---- Fixed ---- ---- cevans@google.com Flash: memory corruption with CEA-708 screen cursor going off-screen CCProjectZeroMembers  
  266 ---- Fixed ---- ---- cevans@google.com Flash: memory corruption with large length in EAC3 packet CCProjectZeroMembers  
  268 ---- Fixed ---- ---- cevans@google.com Flash: memory corruption with excessive dimensions in H264 CCProjectZeroMembers  
  276 ---- Fixed ---- ---- cevans@google.com Flash: not great ASLR for the Flash heap on Win7 64-bit CCProjectZeroMembers  
  278 ---- Fixed ---- ---- cevans@google.com Flash: broker-based sandbox escape via forward slash instead of backslash CCProjectZeroMembers  
  279 ---- Fixed ---- ---- cevans@google.com Flash: broker-based sandbox escape via unexpected directory lock CCProjectZeroMembers  
  280 ---- Fixed ---- ---- cevans@google.com Flash: broker-based sandbox escape via timing attack against file moving CCProjectZeroMembers  
  290 ---- Fixed ---- ---- cevans@google.com Adobe Flash: NetStream Missing Constructor Normal Check CCProjectZeroMembers  
  291 ---- Fixed ---- ---- scvitti@google.com Adobe Flash stack corruption when decoding JPEG-XR image CCProjectZeroMembers  
  300 ---- Fixed ---- ---- cevans@google.com Adobe Flash: buffer overflow in Sound.extract() CCProjectZeroMembers  
  301 ---- Fixed ---- ---- cevans@google.com Adobe Flash: Normal Check Should Verify that UserData and Destructor are null CCProjectZeroMembers  
  302 ---- Fixed ---- ---- cevans@google.com Security: Flash Player Integer Overflow in Function.apply CCProjectZeroMembers  
  303 ---- Fixed ---- ---- cevans@google.com Security: Use After Free in Flash AVSS.setSubscribedTags can cause memory corruption CCProjectZeroMembers  
  316 ---- Fixed ---- ---- cevans@google.com Flash: Uninitialized stack variable while parsing an MPD file can corrupt memory CCProjectZeroMembers  
  318 ---- Fixed ---- ---- cevans@google.com Flash: memory corruption with ShaderJob width and height TOCTOU condition CCProjectZeroMembers  
  319 ---- Fixed ---- ---- cevans@google.com Flash: uninitialized memory information leak when shading into a ByteArray CCProjectZeroMembers  
  322 ---- Fixed ---- ---- cevans@google.com Flash: info leak due to uninitialized registers when executing Shaders CCProjectZeroMembers  
  323 ---- Fixed ---- ---- cevans@google.com Flash: integer overflow / memory corruption with excessive number of shader input channels CCProjectZeroMembers  
  324 ---- Fixed ---- ---- cevans@google.com Flash: out-of-bounds write in ShaderParameter resolution CCProjectZeroMembers  
  326 ---- Fixed ---- ---- cevans@google.com Flash: Issues in DefineBitsLossless and DefineBitsLossless2 leads to using uninitialized memory while rendering a picture CCProjectZeroMembers  
  330 ---- Fixed ---- ---- cevans@google.com Flash: AS2 Use After Free in TextField.filters (again) CCProjectZeroMembers  
  336 ---- Fixed ---- ---- cevans@google.com Adobe Flash: Type Confusion in NetConnection with __proto__ CCProjectZeroMembers  
  337 ---- Fixed ---- ---- cevans@google.com FileReferenceList.browse does not check that fileList is a ScriptObject CCProjectZeroMembers  
  338 ---- Fixed ---- ---- cevans@google.com Adobe Flash: Type Confusion in SharedObject.data CCProjectZeroMembers  
  342 ---- Fixed ---- ---- cevans@google.com Flash AS2 Use After Free while setting TextField.filters CCProjectZeroMembers  
  344 ---- Fixed ---- ---- cevans@google.com Adobe Flash: SharedObject Destructor Sets data to Normal Type CCProjectZeroMembers  
  349 ---- Fixed ---- ---- cevans@google.com Flash: use-after-free in display list handling from KEEN Team, round 2 CCProjectZeroMembers  
  350 ---- Fixed ---- ---- mjurczyk@google.com Adobe Flash bad free condition CCProjectZeroMembers  
  352 ---- Fixed ---- ---- cevans@google.com Use-after-free in NetConnection.connect CCProjectZeroMembers  
  354 ---- Fixed ---- ---- cevans@google.com Flash: Boundless Tunes - universal SOP bypass through ActionScript's Sound object CCProjectZeroMembers  
  355 ---- Fixed ---- ---- cevans@google.com Adobe Flash: Use-after-free when setting variable CCProjectZeroMembers  
  356 ---- Fixed ---- ---- cevans@google.com Use-after-free when setting internal boolean CCProjectZeroMembers  
  357 ---- Fixed ---- ---- cevans@google.com Adobe Flash: Use-after-free when setting internal number CCProjectZeroMembers  
  358 ---- Fixed ---- ---- cevans@google.com Flash AS2 Use After Free in DisplacementMapFilter.mapBitmap CCProjectZeroMembers  
  359 ---- Fixed ---- ---- cevans@google.com Flash UAF with MovieClip.scrollRect in AS2 CCProjectZeroMembers  
  360 ---- Fixed ---- ---- cevans@google.com Adobe Flash: Use-after-free when setting value CCProjectZeroMembers  
  361 ---- Fixed ---- ---- mjurczyk@google.com Adobe Flash out-of-bounds memory read while parsing a mutated SWF file CCProjectZeroMembers  
  362 ---- Fixed ---- ---- mjurczyk@google.com Adobe Flash out-of-bounds memory read while parsing a mutated SWF file CCProjectZeroMembers  
  363 ---- Fixed ---- ---- mjurczyk@google.com Adobe Flash out-of-bounds memory read while parsing a mutated TTF file embedded in SWF CCProjectZeroMembers  
  365 ---- Fixed ---- ---- cevans@google.com Adobe Flash: Use-after-free in XML.childNodes CCProjectZeroMembers  
  366 ---- Fixed ---- ---- cevans@google.com Adobe Flash: Use-after-free when printing XML Attributes CCProjectZeroMembers  
  367 ---- Fixed ---- ---- cevans@google.com Flash UAF with Color.setRGB in AS2 CCProjectZeroMembers  
  371 ---- Fixed ---- ---- cevans@google.com Adobe Flash: Use-after-free in Array.push CCProjectZeroMembers  
  372 ---- Fixed ---- ---- cevans@google.com Adobe Flash: Use-after-free in Array.unshift CCProjectZeroMembers  
  374 ---- Fixed ---- ---- cevans@google.com Adobe Flash: Array.sort can go out of bounds CCProjectZeroMembers  
  375 ---- Fixed ---- ---- cevans@google.com Flash: uninitialized memory information leak when shading into a ByteArray (#2) CCProjectZeroMembers